[keycloak-dev] Cache empty result for client service account user lookup

Ioan Eugen Stan ieugen at netdava.com
Thu Sep 19 13:44:45 EDT 2019


Hi, 

You probably did it but I am going to say it anyway. You can add an index manually without issues. The index is transparent and probably will not affect inserts. This is a workaround. Very nice of you for reporting it.

I don't know if/how Keycloak handles the DB details => are there guides on how to handle situations like the above in the DB?

Personally I chose to embrace SQL and prefer it to Java whenever possible. 



Eugen Stan
Netdava International


Original message



From: johannes at kodet.no
Sent: 19 September 2019 20:26
To: keycloak-dev at lists.jboss.org
Subject: [keycloak-dev] Cache empty result for client service account user lookup


We have a performance issue with the token exchange service in a realm
with a large amount of users.

The problem seems to be that token exchange uses client permissions to
evaluate if a client to client token exchange is allowed. The client
permissions evaluator
(org.keycloak.services.resources.admin.permissions.ClientPermissions#canExchangeTo)
creates a new ClientModelIdentity object which in the constructor also
loads the client's service account user model, if one exists.
The service account user lookup result for clients without service
account enabled, isn't cached. Since the service_account_client_link
column in the user_entity database table isn't indexed, this lookup
causes a table scan which takes several seconds for each token
exchange.

One way to solve this, is to cache the empty service account user lookup.
I have pushed a proof of concept at
https://github.com/keycloak/keycloak/compare/master...knutz3n:cache-empty-client-service-account-result

Is this something you would consider merging? Do you have suggestions
for improvement on this fix? Do you know of other places which must
trigger an eviction in addition to
org.keycloak.services.managers.ClientManager#enableServiceAccount?

- Johannes
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
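As an added illustration (not Keycloak's code and not the proof of concept linked above) of the negative-caching approach the message describes: the "no service account user" result is stored alongside positive hits so that repeated token exchanges do not repeat the unindexed query, and the entry is evicted wherever the link can change, such as when a service account is enabled. The class name, the string-valued users and the in-memory map standing in for the user_entity table are constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

/** Hypothetical cache of client id -> service account user, including "absent" results. */
public final class ServiceAccountUserCache {
    // Optional.empty() acts as the sentinel for "lookup ran, no service account user exists",
    // so a client without a service account is a cache hit rather than a repeated table scan.
    private final Map<String, Optional<String>> byClientId = new ConcurrentHashMap<>();
    private final Function<String, Optional<String>> slowLookup; // stands in for the DB query
    private int lookups = 0;

    public ServiceAccountUserCache(Function<String, Optional<String>> slowLookup) {
        this.slowLookup = slowLookup;
    }

    public Optional<String> getServiceAccountUser(String clientId) {
        Optional<String> cached = byClientId.get(clientId);
        if (cached != null) {
            return cached; // hit, whether the cached value is a user or the empty sentinel
        }
        lookups++;
        Optional<String> found = slowLookup.apply(clientId);
        byClientId.put(clientId, found); // cache the empty result too
        return found;
    }

    /** Must be called from every code path that changes the service account link. */
    public void evict(String clientId) {
        byClientId.remove(clientId);
    }

    public int lookupCount() {
        return lookups;
    }

    public static void main(String[] args) {
        Map<String, String> userEntity = new HashMap<>(); // constructed stand-in for the table
        ServiceAccountUserCache cache =
                new ServiceAccountUserCache(id -> Optional.ofNullable(userEntity.get(id)));
        cache.getServiceAccountUser("client-a"); // miss: one slow lookup, empty result cached
        cache.getServiceAccountUser("client-a"); // hit on the cached empty result
        userEntity.put("client-a", "service-account-client-a"); // service account enabled
        cache.evict("client-a"); // without this the stale empty result would be served
        System.out.println(cache.getServiceAccountUser("client-a") + " lookups=" + cache.lookupCount());
    }
}
```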


